Review: AirWatch Enterprise MDM for Apple iOS4: Page 3
Each profile is associated with an affected platform, model, OS, and location group. This lets you apply different policies to sets of devices, for example location-specific Wi-Fi settings or prohibiting camera use on iPhones. If desired, profiles can be locked or assigned an "importance" or "sensitivity" level to be used for filtering.
After a platform has been selected, supported profile sections and attributes are displayed. To add to a profile, just select a section (passcode, restrictions, Wi-Fi, VPN, etc.) and fill out a form. This part of the GUI is similar to Apple's utility; you can even export AirWatch-generated XML. Although we were unable to generate correct Wi-Fi settings no matter what we tried, AirWatch produced valid XML for most other attributes.
AirWatch's approach makes it easier to maintain complex profiles for a large diverse workforce. Because profiles are not deployed until published, XML can be exported for testing. Once published, profiles may be auto-deployed to every new device by setting Default Profiles for each model/version. Installed profiles can even be temporarily deactivated by checking a box or specifying effective dates (after which they expire).
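Since profiles can be exported as XML before they are published, the export is a natural place to audit what is about to reach devices. The following is an added example, not code from the review or from AirWatch: it parses a constructed configuration profile (an XML plist of the kind Apple's utility and AirWatch emit) and flags a weak passcode policy, an unencrypted Wi-Fi payload, or a missing passcode payload. The payload types are Apple's standard identifiers; the SSID, lengths and thresholds are made up for the example.

```python
import plistlib

# Constructed sample of an exported iOS configuration profile (XML plist).
# The values are invented for this example; they are not from the review.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>forcePIN</key><true/>
      <key>minLength</key><integer>4</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowCamera</key><false/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>corp-wifi</string>
      <key>EncryptionType</key><string>None</string>
    </dict>
  </array>
</dict>
</plist>
"""

def audit_profile(profile_xml, min_pin_length=6):
    """Return findings for weak or missing payloads in an exported profile."""
    profile = plistlib.loads(profile_xml)
    findings = []
    seen = set()
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        seen.add(ptype)
        if ptype == "com.apple.mobiledevice.passwordpolicy":
            if not payload.get("forcePIN"):
                findings.append("passcode: forcePIN not set")
            if payload.get("minLength", 0) < min_pin_length:
                findings.append("passcode: minLength below %d" % min_pin_length)
        elif ptype == "com.apple.wifi.managed":
            # An open Wi-Fi payload is the kind of error worth catching before publishing.
            if payload.get("EncryptionType", "None") == "None":
                findings.append("wifi: %s is unencrypted" % payload.get("SSID_STR"))
    if "com.apple.mobiledevice.passwordpolicy" not in seen:
        findings.append("passcode: no passcode policy payload")
    return findings
```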
We found this GUI promising and powerful, but a bit overwhelming. What's the difference between a managed and unmanaged profile? (Managed profiles are installed transparently, while unmanaged profiles require user acceptance.) If a profile previously removed from a device is updated, will the profile be re-installed? And so on.
AirWatch has done an admirable job here, but we still see room for improvement. First, we'd love a current admin guide (unavailable during our review). Second, we would like more visibility into profile-related device events, such as when installation fails. Finally, to avoid frustration and error, we would prefer that fields which are not yet reliably implemented, such as model, be disabled.
Device attributes surfaced in iOS4 are more extensive than in OS 3.x, but the single most important addition to iOS4 may be over-the-air application deployment. To this end, AppStore and enterprise apps can be managed by selecting the "Provisioning" tab on the AirWatch Device Profile Page (below).
iOS4 provisioning for third-party apps is indirect. AirWatch taps into this by letting you define "Recommended External Applications" for any location group. To add to this list, just supply an app name and iTunes URL. The URL is added to an App Catalog web page hosted by AirWatch for each managed device. However, recommended apps are still downloaded from the AppStore and installed in the usual fashion by iTunes.
iOS4 provisioning for enterprise apps is more direct and ultimately transparent. To install enterprise apps on devices in a given location, create App Profiles. Each profile must be associated with an App ID, version, description, icons, application (IPA) file, and provisioning profile. The IPA file may or may not include a provisioning profile, but only those with separate provisioning profiles can be disabled when MDM relationships are removed. If desired, EULA text, metadata, and screenshots can also be specified here. This info is added to App Catalog pages, but enterprise apps are stored on the AirWatch server and downloaded over-the-air, bypassing iTunes.
These provisioning interfaces let employers skip AppStore review and encourage users to install both third-party and enterprise apps. However, MDM does not currently let you force app install or update. Instead, use the AirWatch dashboard to query profiled and installed apps. You may also wish to direct users to their own App Catalog page by publishing web clip config profiles.
Finally, what about discouraging unwanted app installation? AirWatch supports this by enforcing Blacklist compliance. Blacklists can be defined for any location group, and may contain a list of forbidden device models, OS versions, and/or individual apps.
In theory, Blacklists might be used to prevent ActiveSync by iPhones older than the 3GS or iPads running anything other than iOS4. Blacklists might be used to send a warning SMS to any non-compliant device or even remote wipe that device. However, we had no luck sending an SMS and were told that ActiveSync disablement was still under development. Blacklists were added to AirWatch right before we completed our review, so we expect them to be fleshed out shortly.
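To make the blacklist compliance logic concrete, here is an added example that is not AirWatch's code: it evaluates a constructed device inventory against a blacklist of models, OS version prefixes and app bundle IDs, in the spirit of the "older than the 3GS" and "anything other than iOS4" rules above. Device records, model strings, bundle IDs and the prefix-match rule for OS versions are all assumptions made for this example.

```python
from collections import namedtuple

# Constructed inventory and blacklist; every value here is invented for the
# example and does not come from the review or from AirWatch.
Device = namedtuple("Device", "udid model os_version apps")

INVENTORY = [
    Device("udid-1", "iPhone 3GS", "4.1", ["com.example.mail"]),
    Device("udid-2", "iPhone 3G", "4.0.2", ["com.example.mail"]),
    Device("udid-3", "iPad", "3.2.2", ["com.example.mail", "com.example.filesharing"]),
    Device("udid-4", "iPad", "4.2", ["com.example.mail"]),
]

BLACKLIST = {
    "models": {"iPhone", "iPhone 3G"},   # iPhones older than the 3GS
    "os_prefixes": {"3."},              # any 3.x release, i.e. not iOS4
    "apps": {"com.example.filesharing"},
}

def check_compliance(device, blacklist):
    """Return the blacklist rules a device violates; an empty list means compliant."""
    reasons = []
    if device.model in blacklist["models"]:
        reasons.append("model %s is blacklisted" % device.model)
    # OS versions are matched by prefix so "3." covers 3.1.3, 3.2.2 and so on.
    for prefix in blacklist["os_prefixes"]:
        if device.os_version.startswith(prefix):
            reasons.append("OS %s is blacklisted" % device.os_version)
            break
    for app in device.apps:
        if app in blacklist["apps"]:
            reasons.append("app %s is blacklisted" % app)
    return reasons

def noncompliant_devices(inventory, blacklist):
    """Map udid -> reasons for every device that fails at least one rule."""
    result = {}
    for device in inventory:
        reasons = check_compliance(device, blacklist)
        if reasons:
            result[device.udid] = reasons
    return result
```

The returned reasons are what an admin would want attached to a warning or remediation action, rather than a bare pass/fail.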
In addition to iOS4 MDM features covered here, AirWatch also provides alerting and reporting for Apple devices. For example, we spotted a few interesting reports, such as a passcode compliance report, an encryption compliance report, and a profile compliance report. These reports could be very useful to audit an individual device or entire location group's security posture and identify those needing closer inspection or remediation.
In fact, AirWatch will no doubt add more alerts, reports, and other MDM features over time. Errors encountered early on had disappeared by the time we finished, while a few new errors had surfaced. Overall, AirWatch responded quickly to support requests. However, only major bugs were fixed promptly; minor bugs languished. AirWatch appeared to be focused on rapidly extending Enterprise MDM functionality and not just for iOS4. While this approach offers clear benefits, it also caused some degree of instability for SaaS subscribers like us.
Ultimately, tolerating a bit of ongoing change seems like a reasonable trade for turnkey, full-featured, scalable iOS4 MDM. For just a few dollars per month, AirWatch offers an easy way to secure those "look what I got for Christmas!" iPads returning to the office come January. It might take a while to master all the details, but most IT admins will quickly grasp AirWatch's use of iOS4 MDM to remotely manage just about any new iPhone, iPad, or iPod touch.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. Since 1997, Lisa has been involved in mobile workforce policy development and best practices, ranging from wireless/VPN security to portable data defenses.
Follow eSecurityPlanet on Twitter: @eSecurityP.